ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Levas <>
Subject Re: Failed to put kerberos descriptor via REST API
Date Fri, 08 Jan 2016 15:58:37 GMT
Hi Fay…

What version of Ambari are you using?  I believe the credential mechanism changed in Ambari

Before Ambari 2.2.0, the KDC administrator credential is stored in “session” and thus
a  HTTP session is needed to maintain access to this data between API calls.  The error message
indicates that this is what may be happening.  So to fix it, you need to establish a HTTP
session using CURL.

For Ambar 2.2.0 and up, the KDC administrator credential is stored in a server-wide keys store…
either in temporary or permitted storage. If you are using this version, then the error message
is incorrect and should actually direct you to use the credentials API – see
 No session is needed for this.


From: Fay Wang <<>>
Reply-To: Fay Wang <<>>
Date: Thursday, January 7, 2016 at 10:30 PM
To: Robert Levas <<>>
Cc: "<>" <<>>
Subject: Re: Failed to put kerberos descriptor via REST API

Thanks, Rob. Changing to POST works fine!
I am now able to kerberize the cluster using the REST API. However. starting services fails:

curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}'

HTTP/1.1 400 Bad Request
User: admin
Set-Cookie: AMBARISESSIONID=n1bo172w5po26xndrqfg95z9;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 460
Server: Jetty(8.1.17.v20150415)

  "status" : 400,
  "message" : "java.lang.IllegalArgumentException: Missing KDC administrator credentials.\nThe
KDC administrator credentials must be set in session by updating the relevant Cluster resource.This
may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the
following payload:\n{\n  \"session_attributes\" : {\n    \"kerberos_admin\" : {\"principal\"
: \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n  }\n}"

I then issued the command as suggested by the above message:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"session_attributes" : {"kerberos_admin"
: {"principal" : "fay/admin@EXAMPLE.COM<mailto:fay/admin@EXAMPLE.COM>", "password" :
"passw0rd"}}}' http://localhost:8080/api/v1/clusters/MyCluster

and then re-issued the start-service command. Still the start failed with the same error message.

Many thanks for your patience and help!


On Thursday, January 7, 2016 5:28 PM, Robert Levas <<>>

Hi Fay...
Instead of PUT, you should do a POST.  To create a new kerberos_descriptor artifact.  If a
kerberos_descriptor artifact already existed, then you out PUT to update it.
I'll have to check, is the documentation I correct or confusing?
On Jan 7, 2016, at 6:50 PM, Fay Wang <<>>
Thanks, Rob, for the info!

I am able to get the default kerberos descriptor via REST api, but
get an error when issuing the following command to update the descriptor:

curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @/tmp/descriptor_update.json http://localhost:8080/api/v1/clusters/MyCluster/artifacts/kerberos_descriptor

HTTP/1.1 100 Continue

HTTP/1.1 404 Not Found
User: admin
Set-Cookie: AMBARISESSIONID=ia3j9lvqclb6fytb01x5c2vl;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 244
Server: Jetty(8.1.17.v20150415)

  "status" : 404,
  "message" : "org.apache.ambari.server.controller.spi.NoSuchResourceException: The requested
resource doesn't exist: Artifact not found, Artifacts/cluster_name=MyCluster AND Artifacts/artifact_name=kerberos_descriptor"

The content of /tmp/descriptor_update.json:

  "artifact_data" : {
    "services" : [
        "configurations" : [
            "core-site" : {
              "hadoop.proxyuser.HTTP.hosts" : "*"
        "name" : "HIVE"

Thanks in advance for the help!


View raw message